Security Firm Dangles $500,000 for iOS 0-Days

Researchers looking to cash in on working exploits for 0-day and N-day vulnerabilities can now turn to a new bounty program from Exodus Intelligence, which is offering up to $500,000 for certain exploits.

Exodus Intelligence’s Research Sponsorship Program (RSP), which is focused on acquiring vulnerability research and exploits, is now looking for exploits for both zero-day and N-day vulnerabilities, the company announced.

The bounties promised by the company are substantial: working Apple iOS exploits can earn researchers up to $500,000, while working Microsoft Edge exploits could go for as much as $125,000.

Exodus also reveals that a new bonus structure is rolling out for the acquisition of research and exploits for 0-day vulnerabilities. The company will offer the researcher an initial payment for each of the new 0-day acquired, but only after the request has been reviewed and accepted, and might also send the researcher additional payments every quarter the Zero-Day exploit is still alive.

News of the program comes less than a week after Apple announced that it would offer up to $200,000 for finding vulnerabilities in its products.

“The specific values of the initial payment and quarterly bonus will be included in an offer presented to the researcher, following the review of their work. Additionally, Exodus also offers payment in the form of Bitcoin for Zero-Day research,” the company says.

The RSP website is where the 0-day hitlist can be found, and developers interested in entering the program should register there. Even researchers focused on different areas are encouraged to contact Exodus for consideration.

Interested developers should submit their research through the RSP website and the company promises a response within 10 business days. Depending on the completeness of the research, larger payments could be offered, and researchers might also receive public acknowledgement, if desired, Exodus says.

The $500,000 payout for iOS exploits matches that offered by exploit acquisition firm Zerodium in program announced late last year. For a short period, Zerodium even offered up to $1 million for an iOS 9 exploit, which was awarded to Pangu Team, a Chinese group specializing in iOS jailbreaks.

When it comes to N-day exploits, Exodus says it would consider and purchase only fully functional exploits.

“Through the launch of the RSP, Exodus is excited to be engaging the global research community in our mission to provide the highest quality of vulnerability intelligence in the industry. This additional source of research, supplemented by the investigation and validation of our world-class team, will continue to ensure that our clients receive early notification of the most critical vulnerabilities so that they can offer the best defense possible,” Logan Brown, President, Exodus Intelligence, says.